Yii::app()->user->checkAccess() Not Working

I have created the tables AuthItem, AuthAssignment and AuthItemChild and assigned roles as given in the Yii RBAC tutorials.

In my test controller, when I'm using the following code, it is giving me an undefined constant error.

TestController:

public function actionIndex()
{
	$auth=Yii::app()->authManager;

	if($auth->isAssigned(Yii::app()->user->role,Yii::app()->user->id))
	{
		ChromePhp::log(Yii::app()->user->role);
		if(Yii::app()->user->checkAccess(‘createProfile’))
			ChromePhp::log('allowed');
	}
	$this->render('index');
}

Here, when the user who is admin logs in, I get to know that he is admin through Yii::app()->user->role, but I am getting an error in the following line:


if(Yii::app()->user->checkAccess(‘createProfile’))

Error: Use of undefined constant ‘createProfile’ - assumed "createProfile"

Error in stack trace:

Use of undefined constant ‘createProfile’ - assumed '‘createProfile’' (/home/chirag/workspace/projects/drkonnect/drkonnect/web/protected/controllers/TestController.php:12)
Stack trace:
#0 /home/chirag/workspace/projects/drkonnect/drkonnect/yii/framework/web/CController.php(286): TestController->runAction()
#1 /home/chirag/workspace/projects/drkonnect/drkonnect/yii/framework/web/CController.php(265): TestController->runActionWithFilters()
#2 /home/chirag/workspace/projects/drkonnect/drkonnect/yii/framework/web/CWebApplication.php(282): TestController->run()
#3 /home/chirag/workspace/projects/drkonnect/drkonnect/yii/framework/web/CWebApplication.php(141): CWebApplication->runController()
#4 /home/chirag/workspace/projects/drkonnect/drkonnect/yii/framework/base/CApplication.php(169): CWebApplication->processRequest()
#5 /home/chirag/workspace/projects/drkonnect/drkonnect/web/index.php(13): CWebApplication->run()
REQUEST_URI=/index.php?r=test
in /home/chirag/workspace/projects/drkonnect/drkonnect/web/protected/controllers/TestController.php (12)
in /home/chirag/workspace/projects/drkonnect/drkonnect/web/index.php (13)

Thanks in advance…!!!

You are using wrong characters as single quotes. Did you copy the code from some web page? It must have rendered them differently.

See the difference in syntax highlight:




// wrong
if(Yii::app()->user->checkAccess(‘createProfile’))

// right
if(Yii::app()->user->checkAccess('createProfile'))



Thank you for pointing out the mistake… It's working now…!!

I would like to ask one more thing.

On top of my hierarchy I have admin, and I am logging in as admin, but in the case of the createProfile operation it's returning false.

Basically, doctor can perform the createProfile operation and admin is above doctor, so it should return true in his case.??

Put a condition in the "or" part:


if(Yii::app()->user->checkAccess('Admin'))

Thank you so much…

I want to clarify my doubt: the CWebUser class has the function checkAccess($operation,$params=array(),$allowCaching=true). Here it's taking $operation as its parameter, and in the above condition we are passing ‘Admin’, which is a role.

I am a little confused about it… ???

It took me quite a long time to get how RBAC works. I like to use this example:




        some profile (role)
      /     |        |      \
  read own  |    update own  delete own (operators, a set for each model)
    /       |        |        \
  read    create   update   delete (operators, a set for each model)
   \        |        |        /
    \       |        |       /
        can do something (operator)



Now when you call checkAccess() on any of these auth items, it traverses the tree upwards. When any auth item has a bizrule, it is evaluated, and if it’s false checkAccess() stops following that branch.

When any item is assigned to a user, checkAccess() returns true.

Auth items should be connected in such a way that more restrictive items are higher in the tree.

When assigning items to roles always try to choose the highest possible item (start with least amount of privileges).

When calling checkAccess() always try to choose the lowest possible item to avoid having multiple checkAccess() calls.

This is bad:

if (Yii::app()->user->checkAccess('read Model') || Yii::app()->user->checkAccess('read own Model'))

This is better:

if (Yii::app()->user->checkAccess('read Model'))



If you assign ‘read own Model’ to a profile, checking for ‘read Model’ will pass.

Now if you want an ‘Admin’ role, just assign all elements to it.
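
The upward traversal described in the post above, as an added example (not part of the thread and not Yii framework code): a standalone PHP 7.1+ model of the lookup using the thread's doctor/admin/createProfile items. The MiniAuth class, the updateProfile and updateOwnProfile items, the closure used in place of a bizrule string, and the user ids are assumptions made for the illustration.

```php
<?php
// Simplified model of the checkAccess() traversal; the real logic lives in Yii's auth manager.
final class MiniAuth {
    private $parents = [];      // child item => parent items (the AuthItemChild links)
    private $bizRules = [];     // item => callable(array $params): bool
    private $assignments = [];  // user id => [item => true] (the AuthAssignment rows)

    public function addChild(string $parent, string $child): void {
        $this->parents[$child][] = $parent;
    }

    public function setBizRule(string $item, callable $rule): void {
        $this->bizRules[$item] = $rule;
    }

    public function assign(string $item, int $userId): void {
        $this->assignments[$userId][$item] = true;
    }

    public function checkAccess(string $item, int $userId, array $params = []): bool {
        // A failing bizrule stops this branch before assignment or parents are considered.
        if (isset($this->bizRules[$item]) && !($this->bizRules[$item])($params)) {
            return false;
        }
        if (isset($this->assignments[$userId][$item])) {
            return true;
        }
        foreach ($this->parents[$item] ?? [] as $parent) {
            if ($this->checkAccess($parent, $userId, $params)) {
                return true;
            }
        }
        return false;
    }
}

$auth = new MiniAuth();
$auth->addChild('doctor', 'createProfile');            // doctor may createProfile
$auth->addChild('admin', 'doctor');                    // admin inherits what doctor has
$auth->addChild('updateOwnProfile', 'updateProfile');  // the restrictive item sits higher
$auth->addChild('doctor', 'updateOwnProfile');
$auth->setBizRule('updateOwnProfile', function (array $p) { return $p['owner'] === $p['user']; });
$auth->assign('admin', 1);   // constructed user ids
$auth->assign('doctor', 2);

var_dump($auth->checkAccess('createProfile', 1));                               // path: createProfile -> doctor -> admin
var_dump($auth->checkAccess('updateProfile', 2, ['owner' => 2, 'user' => 2]));  // doctor, own record
var_dump($auth->checkAccess('updateProfile', 2, ['owner' => 3, 'user' => 2]));  // doctor, someone else's record
var_dump($auth->checkAccess('updateProfile', 1, ['owner' => 3, 'user' => 1]));  // admin has no direct link to updateProfile
```

Adding a direct link with $auth->addChild('admin', 'updateProfile') gives the admin role a path to updateProfile that does not pass through the ownership rule.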

Thanks a lot…!!!

This helped me clear my doubts… :)